agentskeptic 4.2.0 → 6.0.0

package/dist/trustDecision.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"trustDecision.d.ts","sourceRoot":"","sources":["../src/trustDecision.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAEpE,8DAA8D;AAC9D,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE1D;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,WAAW,EAAE,oBAAoB,GAAG,aAAa,CAK7F"}
+{"version":3,"file":"trustDecision.d.ts","sourceRoot":"","sources":["../src/trustDecision.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,oCAAoC,EACpC,yBAAyB,EACzB,+BAA+B,EAC/B,oBAAoB,EACrB,MAAM,yBAAyB,CAAC;AAEjC,8DAA8D;AAC9D,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE1D,wBAAgB,+BAA+B,CAAC,MAAM,EAAE;IACtD,OAAO,EAAE,yBAAyB,CAAC;IACnC,aAAa,EAAE,+BAA+B,CAAC;IAC/C,kBAAkB,EAAE,oCAAoC,CAAC;CAC1D,GAAG,aAAa,CAKhB;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,WAAW,EAAE,oBAAoB,GAAG,aAAa,CAM7F"}

package/dist/trustDecision.js

@@ -1,13 +1,20 @@
-/**
- * Derive trust from Outcome Certificate v1 (normative: quick_preview is never high-stakes safe).
- */
-export function trustDecisionFromCertificate(certificate) {
-    if (certificate.runKind === "quick_preview")
+export function trustDecisionFromRelianceFields(params) {
+    if (params.runKind === "quick_preview")
         return "unknown";
-    if (certificate.highStakesReliance === "permitted")
+    if (params.highStakesReliance === "permitted")
         return "safe";
-    if (certificate.stateRelation === "does_not_match")
+    if (params.stateRelation === "does_not_match")
         return "unsafe";
     return "unknown";
 }
+/**
+ * Derive trust from Outcome Certificate v1 (normative: quick_preview is never high-stakes safe).
+ */
+export function trustDecisionFromCertificate(certificate) {
+    return trustDecisionFromRelianceFields({
+        runKind: certificate.runKind,
+        stateRelation: certificate.stateRelation,
+        highStakesReliance: certificate.highStakesReliance,
+    });
+}
 //# sourceMappingURL=trustDecision.js.map

package/dist/trustDecision.js.map

@@ -1 +1 @@
-{"version":3,"file":"trustDecision.js","sourceRoot":"","sources":["../src/trustDecision.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAAC,WAAiC;IAC5E,IAAI,WAAW,CAAC,OAAO,KAAK,eAAe;QAAE,OAAO,SAAS,CAAC;IAC9D,IAAI,WAAW,CAAC,kBAAkB,KAAK,WAAW;QAAE,OAAO,MAAM,CAAC;IAClE,IAAI,WAAW,CAAC,aAAa,KAAK,gBAAgB;QAAE,OAAO,QAAQ,CAAC;IACpE,OAAO,SAAS,CAAC;AACnB,CAAC"}
+{"version":3,"file":"trustDecision.js","sourceRoot":"","sources":["../src/trustDecision.ts"],"names":[],"mappings":"AAUA,MAAM,UAAU,+BAA+B,CAAC,MAI/C;IACC,IAAI,MAAM,CAAC,OAAO,KAAK,eAAe;QAAE,OAAO,SAAS,CAAC;IACzD,IAAI,MAAM,CAAC,kBAAkB,KAAK,WAAW;QAAE,OAAO,MAAM,CAAC;IAC7D,IAAI,MAAM,CAAC,aAAa,KAAK,gBAAgB;QAAE,OAAO,QAAQ,CAAC;IAC/D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAAC,WAAiC;IAC5E,OAAO,+BAA+B,CAAC;QACrC,OAAO,EAAE,WAAW,CAAC,OAAO;QAC5B,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,kBAAkB,EAAE,WAAW,CAAC,kBAAkB;KACnD,CAAC,CAAC;AACL,CAAC"}

package/dist/verify/batchVerifyTelemetrySubcommand.js

@@ -208,7 +208,7 @@ export async function runBatchVerifyWithTelemetrySubcommand(batchArgs, opts) {
             const shareOrigin = parsedBatch.shareReportOrigin;
             if (shareOrigin !== undefined) {
                 const shareRes = await postPublicVerificationReport(shareOrigin, {
-                    schemaVersion: 2,
+                    schemaVersion: 3,
                     certificate,
                 });
                 if (!shareRes.ok) {
@@ -329,7 +329,7 @@ export async function runBatchVerifyWithTelemetrySubcommand(batchArgs, opts) {
                         throw new TruthLayerError(CLI_OPERATIONAL_CODES.WORKFLOW_RESULT_SCHEMA_INVALID, JSON.stringify(validateWf.errors ?? []));
                     }
                     const certificate = buildOutcomeCertificateLangGraphCheckpointTrustFromWorkflowResult(workflowResult);
-                    const validateCert = loadSchemaValidator("outcome-certificate-v1");
+                    const validateCert = loadSchemaValidator("outcome-certificate-v3");
                     if (!validateCert(certificate)) {
                         throw new TruthLayerError(CLI_OPERATIONAL_CODES.WORKFLOW_RESULT_SCHEMA_INVALID, JSON.stringify(validateCert.errors ?? []));
                     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentskeptic",
-  "version": "4.2.0",
+  "version": "6.0.0",
   "description": "Structured tool activity vs downstream state at verify time: SQL (SQLite, Postgres, MySQL), HTTP witnesses, supported vector indexes, MongoDB documents, and S3-compatible objects when configured—deterministic verdict artifacts (see verification-state-stores.md).",
   "license": "MIT",
   "type": "module",
@@ -24,9 +24,9 @@
   },
   "scripts": {
     "prepublishOnly": "node scripts/build-commercial.mjs",
-    "codegen:types": "openapi-typescript schemas/openapi-commercial-v1.yaml -o src/sdk/_generated/openapi-types.ts",
+    "codegen:types": "node ./node_modules/openapi-typescript/bin/cli.js schemas/openapi-commercial-v1.yaml -o src/sdk/_generated/openapi-types.ts",
     "codegen:error-codes": "node scripts/generate-agentskeptic-error-codes.mjs",
-    "build": "node scripts/materialize-first-five-minutes.mjs && node scripts/write-commercial-build-flags.mjs --oss && node scripts/sync-failure-origin-from-schema.mjs && tsc && node scripts/write-execution-identity.mjs && node scripts/copy-cli-init-assets.mjs && node scripts/copy-debug-ui.mjs && node scripts/write-discovery-payload.mjs",
+    "build": "node scripts/materialize-first-five-minutes.mjs && node scripts/write-commercial-build-flags.mjs --oss && node scripts/sync-failure-origin-from-schema.mjs && node ./node_modules/typescript/bin/tsc && node scripts/write-execution-identity.mjs && node scripts/copy-cli-init-assets.mjs && node scripts/copy-debug-ui.mjs && node scripts/write-discovery-payload.mjs",
     "build:commercial": "node scripts/build-commercial.mjs",
     "start": "npm run build && node scripts/demo.mjs",
     "dev": "npm run dev -w agentskeptic-web",
@@ -109,6 +109,7 @@
     "openapi-typescript": "^7.10.1",
     "semantic-release": "^25.0.0",
     "stripe": "^17.5.0",
+    "tsx": "^4.21.0",
     "typescript": "^5.7.2",
     "vitest": "^4.1.4"
   },

package/schemas/decision-evidence-exit-v1.schema.json

@@ -8,6 +8,6 @@
   "properties": {
     "schemaVersion": { "const": 1 },
     "exitCode": { "type": "integer", "minimum": 0, "maximum": 3 },
-    "cliConvention": { "const": "outcome_certificate_v1" }
+    "cliConvention": { "const": "outcome_certificate_v2" }
   }
 }

package/schemas/evidence-completeness-v1.schema.json

@@ -0,0 +1,87 @@
+{
+  "$id": "https://agentskeptic.com/schemas/evidence-completeness-v1.schema.json",
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "EvidenceCompletenessV1",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "blockerCategory",
+    "quickSignal",
+    "verifiedClaims",
+    "unverifiedClaims",
+    "missingInputs",
+    "nextActions"
+  ],
+  "properties": {
+    "schemaVersion": { "type": "integer", "const": 1 },
+    "blockerCategory": {
+      "type": "string",
+      "enum": [
+        "none",
+        "preview_lane",
+        "ingest_empty",
+        "ingest_unstructured",
+        "registry_unknown_tool",
+        "registry_resolution",
+        "database_access",
+        "timing_or_window",
+        "witness_unavailable",
+        "state_mismatch",
+        "verification_incomplete",
+        "event_sequence",
+        "control_flow_context",
+        "unclassified"
+      ]
+    },
+    "quickSignal": {
+      "type": "string",
+      "enum": [
+        "na",
+        "no_actions",
+        "no_structured_activity",
+        "no_sql_candidates",
+        "sql_ran_uncertain",
+        "sql_ran_failed",
+        "sql_ran_passed"
+      ]
+    },
+    "verifiedClaims": {
+      "type": "array",
+      "maxItems": 24,
+      "items": { "type": "string", "minLength": 1, "maxLength": 160 }
+    },
+    "unverifiedClaims": {
+      "type": "array",
+      "maxItems": 24,
+      "items": { "type": "string", "minLength": 1, "maxLength": 160 }
+    },
+    "missingInputs": {
+      "type": "array",
+      "maxItems": 8,
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["code", "hint"],
+        "properties": {
+          "code": { "type": "string", "minLength": 1, "maxLength": 72 },
+          "hint": { "type": "string", "minLength": 1, "maxLength": 400 }
+        }
+      }
+    },
+    "nextActions": {
+      "type": "array",
+      "minItems": 1,
+      "maxItems": 3,
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["id", "text"],
+        "properties": {
+          "id": { "type": "string", "minLength": 1, "maxLength": 64, "pattern": "^[a-z][a-z0-9_]{0,63}$" },
+          "text": { "type": "string", "minLength": 1, "maxLength": 500 }
+        }
+      }
+    }
+  }
+}

package/schemas/failure-spine-v1.schema.json

@@ -0,0 +1,38 @@
+{
+  "$id": "https://agentskeptic.com/schemas/failure-spine-v1.schema.json",
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "FailureSpineV1",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "trustDecision",
+    "summary",
+    "actionableFailure",
+    "primaryCodes",
+    "rerunGuidance",
+    "source"
+  ],
+  "properties": {
+    "schemaVersion": { "type": "integer", "const": 1 },
+    "trustDecision": {
+      "type": "string",
+      "enum": ["safe", "unsafe", "unknown"]
+    },
+    "summary": { "type": "string", "minLength": 1, "maxLength": 2048 },
+    "actionableFailure": {
+      "$ref": "https://agentskeptic.com/schemas/workflow-truth-report.schema.json#/$defs/actionableFailure"
+    },
+    "primaryCodes": {
+      "type": "array",
+      "minItems": 1,
+      "maxItems": 24,
+      "items": { "type": "string", "minLength": 1, "maxLength": 256 }
+    },
+    "rerunGuidance": { "type": "string", "minLength": 1, "maxLength": 512 },
+    "source": {
+      "type": "string",
+      "enum": ["workflow", "quick", "ineligible_langgraph"]
+    }
+  }
+}

package/schemas/material-truth-v2.schema.json

@@ -0,0 +1,83 @@
+{
+  "$id": "https://agentskeptic.com/schemas/material-truth-v2.schema.json",
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "MaterialTruthV2",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "schemaVersion",
+    "workflowId",
+    "runKind",
+    "stateRelation",
+    "reasonCodes",
+    "steps",
+    "checkpointVerdicts",
+    "evidenceGapPrimary"
+  ],
+  "properties": {
+    "schemaVersion": { "type": "integer", "const": 2 },
+    "workflowId": { "type": "string", "minLength": 1, "maxLength": 512 },
+    "runKind": {
+      "type": "string",
+      "enum": ["contract_sql", "contract_sql_langgraph_checkpoint_trust", "quick_preview"]
+    },
+    "stateRelation": {
+      "type": "string",
+      "enum": ["matches_expectations", "does_not_match", "not_established"]
+    },
+    "reasonCodes": {
+      "type": "array",
+      "items": { "type": "string", "minLength": 1, "maxLength": 256 }
+    },
+    "evidenceGapPrimary": {
+      "type": "string",
+      "enum": [
+        "none",
+        "preview_lane",
+        "ingest_empty",
+        "ingest_unstructured",
+        "registry_unknown_tool",
+        "registry_resolution",
+        "database_access",
+        "timing_or_window",
+        "witness_unavailable",
+        "state_mismatch",
+        "verification_incomplete",
+        "event_sequence",
+        "control_flow_context",
+        "unclassified"
+      ]
+    },
+    "steps": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["seq", "toolId", "declaredAction", "expectedOutcome", "observedOutcome"],
+        "properties": {
+          "seq": { "type": "integer", "minimum": 0 },
+          "toolId": { "type": "string", "maxLength": 512 },
+          "declaredAction": { "type": "string", "minLength": 1, "maxLength": 4096 },
+          "expectedOutcome": { "type": "string", "minLength": 1, "maxLength": 4096 },
+          "observedOutcome": { "type": "string", "minLength": 1, "maxLength": 8192 }
+        }
+      }
+    },
+    "checkpointVerdicts": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["checkpointKey", "verdict", "seqs"],
+        "properties": {
+          "checkpointKey": { "type": "string", "minLength": 1, "maxLength": 2048 },
+          "verdict": { "type": "string", "enum": ["verified", "inconsistent", "incomplete"] },
+          "seqs": {
+            "type": "array",
+            "items": { "type": "integer", "minimum": 0 }
+          }
+        }
+      }
+    }
+  }
+}

package/schemas/openapi-commercial-v1.in.yaml

@@ -12,7 +12,7 @@ info:
     url: __CONTRACT_URL__
     version: __CONTRACT_VERSION__
     manifestSha256: __CONTRACT_SHA__
-  description: "__IDENTITY_ONE_LINER__\n\nMachine-readable contract for license preflight used by the published npm CLI.\nBase URL is your deployed app origin (same as NEXT_PUBLIC_APP_URL).\n\nEvery path in this document returns an `x-request-id` response header on all status codes (echo a valid client `x-request-id` when supplied; otherwise server-generated). Non-2xx JSON bodies follow RFC 7807-style Problem Details (`type`, `title`, `status`, `detail`, optional `code`, `instance`) unless noted; `POST /api/v1/usage/reserve` denials additionally include legacy `allowed`, `code`, `message`, and optional `upgrade_url` for backward compatibility.\n"
+  description: "__IDENTITY_ONE_LINER__\n\nMachine-readable contract for license preflight used by the published npm CLI.\nBase URL is your deployed app origin (same as NEXT_PUBLIC_APP_URL).\n\nEvery path in this document returns an `x-request-id` response header on all status codes (echo a valid client `x-request-id` when supplied; otherwise server-generated). Non-2xx JSON bodies follow RFC 7807-style Problem Details (`type`, `title`, `status`, `detail`, optional `code`, `instance`) unless noted; `POST /api/v1/usage/reserve` denials additionally include legacy `allowed`, `code`, `message`, and optional `upgrade_url` for backward compatibility.\n\n**Breaking (agentskeptic 5.x):** Hosted enforcement ingestion uses `schema_version` 3 with `outcome_certificate` (Outcome Certificate v3 inner JSON, including `failureSpine`). Legacy `schema_version` 2 payloads with `outcome_certificate_v1` are rejected. `POST /api/v1/funnel/verify-outcome` requires `schema_version` 3 and `evidence_gap_primary`. `POST /api/public/verification-reports` accepts envelope `schemaVersion` 3 only. **HTTP 4xx/5xx** responses are **not** `failure-spine-v1` and are **not** Outcome Certificate-shaped; operational CLI errors use `cli-error-envelope` on stderr only.\n"
 externalDocs:
   description: "First-run integration guide"
   url: __DISTRIBUTION_INTEGRATE_URL__
@@ -125,7 +125,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/EnforcementEvidenceRequestV2"
+              $ref: "#/components/schemas/EnforcementEvidenceRequestV3"
       responses:
         "200":
           description: Lifecycle transition completed
@@ -162,7 +162,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/EnforcementEvidenceRequestV2"
+              $ref: "#/components/schemas/EnforcementEvidenceRequestV3"
       responses:
         "200":
           description: Check completed (match, open drift, rerun pass/fail, etc.)
@@ -187,7 +187,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/EnforcementAcceptEvidenceRequestV2"
+              $ref: "#/components/schemas/EnforcementAcceptEvidenceRequestV3"
       responses:
         "200":
           description: Baseline updated; rerun POST /check required before returning to trusted-only posture
@@ -315,7 +315,7 @@ paths:
       summary: Licensed verify-outcome beacon (idempotent per API key + run_id)
       description: >
         POST after a successful `POST /api/v1/usage/reserve` for the same `run_id`. Success is HTTP 204 with an empty body.
-        Requires Bearer API key. Body schemaVersion must be 2.
+        Requires Bearer API key. Body `schema_version` must be 3 (`VerifyOutcomeRequestV3`). `evidence_gap_primary` duplicates `certificate.evidenceCompleteness.blockerCategory` at CLI emission time.
       security:
         - bearerAuth: []
       requestBody:
@@ -323,7 +323,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/VerifyOutcomeRequestV2"
+              $ref: "#/components/schemas/VerifyOutcomeRequestV3"
       responses:
         "204":
           description: Beacon accepted (or duplicate ignored)
@@ -556,27 +556,28 @@ components:
       scheme: bearer
       bearerFormat: API key
   schemas:
-    EnforcementEvidenceRequestV2:
+    EnforcementEvidenceRequestV3:
       type: object
-      required: [schema_version, run_id, workflow_id, outcome_certificate_v1, material_truth_sha256, certificate_sha256]
+      required: [schema_version, run_id, workflow_id, outcome_certificate, material_truth_sha256, certificate_sha256]
       properties:
         schema_version:
           type: integer
-          const: 2
+          const: 3
         run_id:
           type: string
         workflow_id:
           type: string
-        outcome_certificate_v1:
+        outcome_certificate:
           type: object
           additionalProperties: true
+          description: Outcome Certificate v2 JSON (schemaVersion 2) including evidenceCompleteness
         material_truth_sha256:
           type: string
         certificate_sha256:
           type: string
     EnforcementFsmEnvelopeV2:
       type: object
-      description: Hosted enforcement lifecycle + verification attempt payload (schema_version 2).
+      description: Hosted enforcement lifecycle response envelope for POST /check | /baselines | /accept (schema_version 2 on responses; distinct from evidence ingestion schema_version 3).
       required: [schema_version, code]
       properties:
         schema_version:
@@ -587,9 +588,9 @@ components:
         quota_enforced_via_reserve:
           type: boolean
       additionalProperties: true
-    EnforcementAcceptEvidenceRequestV2:
+    EnforcementAcceptEvidenceRequestV3:
       allOf:
-        - $ref: "#/components/schemas/EnforcementEvidenceRequestV2"
+        - $ref: "#/components/schemas/EnforcementEvidenceRequestV3"
         - type: object
           required: [expected_projection_hash, lifecycle_state_version]
           properties:
@@ -715,13 +716,14 @@ components:
           type: string
         code:
           type: string
-    VerifyOutcomeRequestV2:
+    VerifyOutcomeRequestV3:
       type: object
       required:
         - schema_version
         - run_id
         - workflow_id
         - trust_decision
+        - evidence_gap_primary
         - reason_codes
         - terminal_status
         - workload_class
@@ -729,7 +731,7 @@ components:
       properties:
         schema_version:
           type: integer
-          const: 2
+          const: 3
         run_id:
           type: string
           maxLength: 256
@@ -739,6 +741,24 @@ components:
         trust_decision:
           type: string
           enum: [safe, unsafe, unknown]
+        evidence_gap_primary:
+          type: string
+          enum:
+            - "none"
+            - "preview_lane"
+            - "ingest_empty"
+            - "ingest_unstructured"
+            - "registry_unknown_tool"
+            - "registry_resolution"
+            - "database_access"
+            - "timing_or_window"
+            - "witness_unavailable"
+            - "state_mismatch"
+            - "verification_incomplete"
+            - "event_sequence"
+            - "control_flow_context"
+            - "unclassified"
+          description: Mirrors Outcome Certificate evidenceCompleteness.blockerCategory at CLI emission time
         reason_codes:
           type: array
           maxItems: 8
@@ -752,7 +772,12 @@ components:
           enum: [bundled_examples, non_bundled]
         subcommand:
           type: string
-          enum: [batch_verify, quick_verify, verify_integrator_owned]
+          enum: [batch_verify, quick_verify, verify_integrator_owned, activate]
+        activation:
+          description: Present only when subcommand is activate (mirrors ActivationManifest-derived wire)
+          type: object
+          nullable: true
+          additionalProperties: true
     TrustDecisionRecordRequestV1:
       type: object
       additionalProperties: false
@@ -792,8 +817,8 @@ components:
           $ref: "#/components/schemas/TrustCertificateSnapshotRequestV1"
         human_blocker_lines:
           type: array
-          minItems: 6
-          maxItems: 6
+          minItems: 1
+          maxItems: 48
           items:
             type: string
     TrustCertificateSnapshotRequestV1:
@@ -907,8 +932,8 @@ components:
       additionalProperties: false
     PublicVerificationReportCreate:
       description: >
-        POST accepts schemaVersion 2 only: { "schemaVersion": 2, "certificate": <OutcomeCertificateV1> } per
-        schemas/public-verification-report-v2.schema.json. Legacy v1 envelopes are rejected with HTTP 400.
+        POST accepts schemaVersion 3 only: { "schemaVersion": 3, "certificate": <OutcomeCertificateV2> } per
+        schemas/public-verification-report-v3.schema.json. Legacy envelope POST bodies return HTTP 400.
       type: object
       additionalProperties: true
     PublicVerificationReportCreated:
@@ -921,7 +946,7 @@ components:
       properties:
         schemaVersion:
           type: integer
-          const: 2
+          const: 3
         id:
           type: string
           format: uuid